Protect your company and employees by creating a dark web access policy to set protocol for investigations to mitigate security and legal challenges.

Threat actors and other criminals use the perceived anonymity of the dark web to facilitate a range of criminal activities — from marketplaces that offer counterfeit goods, illegal drugs, malware and data breach information to forums where human trafficking networks, terrorist cells and other bad actors can communicate.

Value in the dark web

While this criminal activity certainly makes the dark web a potentially dangerous place to visit, for those organizations seeking to identify, track and mitigate threats, it also serves as a valuable investigation source. Private sector organizations can benefit from responsible access to dark web activity to monitor cyberthreats or ensure the safety of customer data. For the public sector, particularly federal, state and local law enforcement, the need for dark web access to investigate criminal activity is clear.

Unfortunately, the dark web’s reputation as a criminal hangout and cybersecurity minefield also means many organizations are hesitant to venture in and gather valuable intelligence. IT and risk management may have concerns about granting analysts access to the dark web from corporate networks or putting their organization at risk for investigation by law enforcement. And some law enforcement agencies may not be fully leveraging the dark web to support their investigations due to lack of training or technical capabilities. A lot of these challenges can be overcome with development and implementation of a formal dark web access policy.

Whether your organization is interested in more visibility into the threats lurking on the dark web or engaged in advanced, active cyber defense or criminal investigation, it’s important to have a policy in place that outlines what activities are permissible and procedures for how they should be carried out. This is especially important when your research requires additional technical capabilities and takes you to criminal marketplaces.

Mitigating risks through dark web access policy

A formal, dark web access policy not only sets expectations and guidance on safe practices for end users, but also helps inform and alleviate concerns from other stakeholders in an organization who may only be familiar with the dangers of the darknet — and not its value to strategic investigations.

Of course, policy must be implemented to be effective. In this case, that means not only having the right technical tools for the job, but also the training, techniques and procedures to execute safely and effectively.

Last year, the Department of Justice’s Cybersecurity Unit issued guidance to the private sector on gathering cyberthreat intelligence in dark marketplaces. You can read the complete memo here. The DOJ’s recommendations are helpful for organizations to consider when crafting a dark web access policy and forming best practices laid out below.

(The memo and following discussion does not constitute legal advice. Authentic8 is prohibited from offering you legal advice. Please consult your attorney or your organization’s attorney for legal advice before undertaking the activities considered here.)

Creating a policy step-by-step

Create “rules of engagement”

“If your organization conducts activities described in this document, or is planning to do so, it should prepare ‘rules of engagement’ or a ‘compliance program’ with protocols that outline acceptable conduct for its personnel and contractors who interact with criminals and criminal organizations. Following deliberately crafted protocols that weigh legal, security and operational considerations beforehand will discourage rash decisions that could put an organization, its employees and its data in jeopardy. Having documented rules may also prove useful if the organization ever faces criminal, civil or regulatory action.”

—DOJ Cybersecurity Unit

Get approval from legal counsel

“An organization should also establish policies and protocols that have been vetted with its legal counsel to guide its employees’ and contractors’ activities on forums (and anywhere else). Having vetted ‘rules of engagement’ or a ‘compliance program; can help prevent personnel from accidentally or unintentionally putting their organization and its employees in legal jeopardy or risk compromising its security.”

—DOJ Cybersecurity Unit

Engage with law enforcement

“It may also be beneficial to inform law enforcement before engaging in these intelligence-gathering activities by building an ongoing relationship with the local FBI field office or Cyber Task Force and the local U.S. Secret Service field office or Electronic Crimes Task Force. Early engagement with law enforcement may also help ensure that a practitioner’s activities do not unintentionally interfere with an ongoing or anticipated investigation by law enforcement.”

—DOJ Cybersecurity Unit

Document plans and activity

“[Practitioners should] document their operational plans for conducting cyber threat intelligence gathering and keep records of their online activities and how information was gathered and used. In the event of a criminal investigation, such records may help establish that their conduct was legitimate cybersecurity activity and help law enforcement determine that a practitioner’s actions were executed in furtherance of the company’s legitimate cybersecurity operations, as opposed to the actions of a rogue employee engaged in illegal conduct.”

—DOJ Cybersecurity Unit

Keeping these recommendations in mind when developing a dark web access policy will help mitigate risk and protect your organization.

To learn more about how Authentic8’s Silo for Research can give online investigators secure, anonymous access to the surface, deep and dark web, download our data sheet.

More from our dark web blog series

Compliance Dark web basics